DirectX: The New Hyper-V Attack Surface

Discover the shocking new attack surface in DirectX, including vulnerabilities in DSGK-VMB, vid-shi-signal-sync-object and DSG_KERNEL_Linux_KERNEL, and how they can be exploited using DxG kernel IOCTLs.

Key takeaways
  • The DSGK-VMB command is vulnerable to attacks due to the lack of proper initialization of variables in the cvn32k_logs structure.
  • The vid-shi-signal-sync-object function is vulnerable to non-pointer reference vulnerabilities, allowing an attacker to control the ISRs and access arbitrary memory locations.
  • The DSG_HOST_VIRTUAL_GPU_VMBOS_VMBOS_COMMAND_TABLE_VGPU2_HOST_TABLE table contains a large number of commands that can be used to exploit the vulnerability.
  • The DSG_KERNEL_Linux_KERNEL module is vulnerable to arbitrary address read vulnerabilities due to the lack of proper bounds checking.
  • The DxG kernel through a set of IOCTLs, provides a way to interact with the DSG kernel and exploit the vulnerability.
  • The Hyper-V direct as component architecture provides a new attack surface that can be exploited by an attacker.

More talks

Defender-Pretender: When Windows Defender Updates Become a Security Risk

Close Encounters of the Advanced Persistent Kind: Leveraging Rootkits for Post-Exploitation

MaginotDNS: Attacking the Boundary of DNS Caching Protection

sOfT7: Revealing the Secrets of Siemens S7 PLCs

Attack on Titan M, Reloaded: Vulnerability Research on a Modern Security Chip

Locknote: Conclusions and Key Takeaways from Black Hat USA 2022

Smashing the State Machine: The True Potential of Web Race Conditions

Debug7: Leveraging a Firmware Modification Attack for Remote Debugging of Siemens S7 PLCs